使用IOS XR配置GRT和VRF之間的路由洩漏

下載選項

  • PDF     (471.7 KB)
    在多種裝置上使用 Adobe Reader 檢視
  • ePub     (153.5 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
  • Mobi (Kindle)     (106.4 KB)
    在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視
已更新: 2023 年 2 月 7 日
文件 ID:218336

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本檔案介紹使用Cisco IOS® XR軟體設定從Global Routing Table(GRT)到VRF的路由漏的程序。

    必要條件

    需求

    思科建議您瞭解以下主題:

    • 基本IP路由知識
    • Cisco IOS和Cisco IOS XR命令列知識

    採用元件

    此程式不限於Cisco IOS XR中的任何軟體版本,因此,所有版本均可用於完成後續步驟。 

    本文中的資訊係根據以下軟體和硬體版本:

    • 採用Cisco IOS XR軟體的路由器
    • 採用Cisco IOS軟體的路由器

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    背景資訊

    本演示的目的是顯示全域性路由表與之間的路由洩漏的配置 vrf  Cisco IOS XR上的路由表。

    拓撲

    Topology for Network

    初始驗證

    介面和靜態路由配置

    ASR9901-1

    RP/0/RSP0/CPU0:ASR9901-1#show run interface gi0/0/0/0 Wed Oct 19 15:21:21.122 UTC interface GigabitEthernet0/0/0/0 cdp vrf ORANGE ipv4 address 192.168.10.1 255.255.255.0 ! 
    RP/0/RSP0/CPU0:ASR9901-1#show run router static Tue Feb 7 19:24:42.730 UTC router static vrf ORANGE address-family ipv4 unicast 172.16.20.0/24 192.168.10.2 

    ASR9901-2

    RP/0/RSP0/CPU0:ASR9901-2#show run int gi0/0/0/0
Wed Oct 19 15:40:18.599 UTC
interface GigabitEthernet0/0/0/0
 cdp
 vrf ORANGE
 ipv4 address 192.168.10.2 255.255.255.0
!
    RP/0/RSP0/CPU0:ASR9901-2#show run int gi0/0/0/6
Wed Oct 19 15:41:08.593 UTC
interface GigabitEthernet0/0/0/6
 cdp
 ipv4 address 172.16.20.1 255.255.255.0
!

    CISCO 2911-3

    CISCO2911-3#show run interface gigabitEthernet0/1
Building configuration...

Current configuration : 100 bytes
!
interface GigabitEthernet0/0
 ip address 172.16.20.2 255.255.255.0
 duplex auto
 speed auto
end

    CISCO2911-3#show run | section ip route
ip route 192.168.10.0 255.255.255.0 172.16.20.1    

    使用ping測試連線,例如,ASR9901-1可以ping通VRF橙色路由器上的ASR9901-2。

    RP/0/RSP0/CPU0:ASR9901-1#ping vrf ORANGE 192.168.10.2
    Wed Oct 19 15:57:50.548 UTC
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

    ASR9901-2可對預設vrf(GRT)上的CISCO2911-3執行ping操作。

    RP/0/RSP0/CPU0:ASR9901-2#ping 172.16.20.2
Wed Oct 19 15:58:05.961 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

    如果您嘗試測試從ASR9K-1(VRF ORANGE)上的子網192.168.10.0/24到路由器2911上的子網172.16.20.0/24的可達性,此測試必須失敗,因為ASR9K-2上未實施任何配置以完成VRF ORANGE和GRT之間的連線。

    RP/0/RSP0/CPU0:ASR9901-1#ping 172.16.20.2 vrf ORANGE
Wed Oct 19 19:45:11.801 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

    組態

    步驟1。在ASR9K-2中配置BGP進程,這是執行路由洩漏的路由器以及需要應用配置的位置。除了建立BGP進程外,還需要使用一些network語句以確保在相應的BGP表中安裝您計畫洩漏的字首:

    RP/0/RSP0/CPU0:ASR9901-2#show run router bgp
Wed Oct 19 20:21:55.118 UTC
router bgp 100
 bgp router-id 10.10.10.10
 address-family ipv4 unicast
  network 172.16.20.0/24
 !
 address-family vpnv4 unicast
 !
 vrf ORANGE
  rd 100:100
  address-family ipv4 unicast
   network 192.168.10.0/24
  !
 !
!

RP/0/RSP0/CPU0:ASR9901-2#

    您可以看到,無需建立任何BGP鄰居關係,需要BGP將這些字首放入BGP表中。

    步驟2。配置路由策略,這些策略旨在幫助您過濾允許洩漏的字首。在本示例中,使用route-policy GLOBAL-2-VRFroute-policy VRF-2-GLOBAL

    RP/0/RSP0/CPU0:ASR9901-2#show run route-policy GLOBAL-2-VRF 
Wed Oct 19 20:37:56.548 UTC
route-policy GLOBAL-2-VRF
  if destination in (172.16.20.0/24) then
    pass
  endif
end-policy
!

RP/0/RSP0/CPU0:ASR9901-2#show run route-policy VRF-2-GLOBAL 
Wed Oct 19 20:38:10.538 UTC
route-policy VRF-2-GLOBAL
  if destination in (192.168.10.0/24 le 32) then
    pass
  endif
end-policy
!

RP/0/RSP0/CPU0:ASR9901-2#

    步驟3。配置VRF並使用import from default-vrf route-policy <policy name>export to default-vrf route-policy <policy name>命令應用在上一步建立的路由策略,如下面的輸出所示:

    RP/0/RSP0/CPU0:ASR9901-2#show run vrf ORANGE 
Wed Oct 19 20:40:38.851 UTC
vrf ORANGE
 address-family ipv4 unicast
  import from default-vrf route-policy GLOBAL-2-VRF
  import route-target
   100:100
  !
  export to default-vrf route-policy VRF-2-GLOBAL
  export route-target
   100:100
  !
 !
!

RP/0/RSP0/CPU0:ASR9901-2#

    最終驗證

    提交先前的配置後,您可以驗證從ASR9K-1(VRF ORANGE)上的子網192.168.10.0/24到路由器2911上的子網172.16.20.0/24的可達性,該子網最初發生故障。但是如果有適當的組態,這個ping測試現在成功了:

    RP/0/RSP0/CPU0:ASR9901-1#ping 172.16.20.2 vrf ORANGE
Wed Oct 19 22:07:47.897 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
RP/0/RSP0/CPU0:ASR9901-1#

    A debug ip icmp 在路由器2911上配置也可以幫助驗證路由器是否將回應回覆傳送回ASR9K-1:

    CISCO2911-3#debug ip icmp 
ICMP packet debugging is on
CISCO2911-3#
CISCO2911-3#
*Oct 19 21:34:20.069: ICMP: echo reply sent, src 172.16.20.2, dst 192.168.10.1, topology BASE, dscp 0 topoid 0
*Oct 19 21:34:20.073: ICMP: echo reply sent, src 172.16.20.2, dst 192.168.10.1, topology BASE, dscp 0 topoid 0
*Oct 19 21:34:20.077: ICMP: echo reply sent, src 172.16.20.2, dst 192.168.10.1, topology BASE, dscp 0 topoid 0
*Oct 19 21:34:20.077: ICMP: echo reply sent, src 172.16.20.2, dst 192.168.10.1, topology BASE, dscp 0 topoid 0
*Oct 19 21:34:20.081: ICMP: echo reply sent, src 172.16.20.2, dst 192.168.10.1, topology BASE, dscp 0 topoid 0
CISCO2911-3#  

    另一個驗證是檢查字首是否出現在RIB和BGP表中,例如,GRT或default-vrf顯示下一個資訊:

    RP/0/RSP0/CPU0:ASR9901-2#show route
Wed Oct 19 22:15:03.930 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR, l - LISP
       A - access/subscriber, a - Application route
       M - mobile route, r - RPL, t - Traffic Engineering, (!) - FRR Backup path

Gateway of last resort is not set

C    10.88.174.0/24 is directly connected, 1d20h, MgmtEth0/RSP0/CPU0/0
L    10.88.174.223/32 is directly connected, 1d20h, MgmtEth0/RSP0/CPU0/0
L    10.10.10.10/32 is directly connected, 04:33:44, Loopback100
C 172.16.20.0/24 is directly connected, 07:03:18, GigabitEthernet0/0/0/6
L    172.16.20.1/32 is directly connected, 07:03:18, GigabitEthernet0/0/0/6
B 192.168.10.0/24 is directly connected, 03:02:21, GigabitEthernet0/0/0/0 (nexthop in vrf ORANGE)
RP/0/RSP0/CPU0:ASR9901-2#

    RP/0/RSP0/CPU0:ASR9901-2#show ip bgp
Wed Oct 19 22:15:13.069 UTC
BGP router identifier 10.10.10.10, local AS number 100
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000000   RD version: 5
BGP main routing table version 5
BGP NSR Initial initsync version 3 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*> 172.16.20.0/24 0.0.0.0 0 32768 i *> 192.168.10.0/24 0.0.0.0 0 32768 i

Processed 2 prefixes, 2 paths
RP/0/RSP0/CPU0:ASR9901-2#

    現在,下一個輸出顯示為VRF橙色顯示的資訊:

    RP/0/RSP0/CPU0:ASR9901-2#show route vrf ORANGE 
Wed Oct 19 22:21:24.559 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR, l - LISP
       A - access/subscriber, a - Application route
       M - mobile route, r - RPL, t - Traffic Engineering, (!) - FRR Backup path

Gateway of last resort is not set

B 172.16.20.0/24 is directly connected, 01:43:49, GigabitEthernet0/0/0/6 (nexthop in vrf default) C 192.168.10.0/24 is directly connected, 07:06:38, GigabitEthernet0/0/0/0
L    192.168.10.2/32 is directly connected, 07:06:38, GigabitEthernet0/0/0/0
RP/0/RSP0/CPU0:ASR9901-2#
RP/0/RSP0/CPU0:ASR9901-2#
RP/0/RSP0/CPU0:ASR9901-2#show bgp vrf ORANGE
Wed Oct 19 22:21:34.887 UTC
BGP VRF ORANGE, state: Active
BGP Route Distinguisher: 100:100
VRF ID: 0x60000003
BGP router identifier 10.10.10.10, local AS number 100
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000012   RD version: 9
BGP main routing table version 9
BGP NSR Initial initsync version 4 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:100 (default for vrf ORANGE)
*> 172.16.20.0/24 0.0.0.0 0 32768 i *> 192.168.10.0/24 0.0.0.0 0 32768 i

Processed 2 prefixes, 2 paths

    修訂記錄

    修訂 發佈日期 意見
    2.0
    07-Feb-2023
    — 在初始驗證中新增了附加輸出
    1.0
    20-Oct-2022
    初始版本
    TAC Authored

    由思科工程師貢獻

    • Juan Rangel
      Cisco TAC Engineer
    • Julio Jimenez
      Cisco TAC Engineer

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您

    本文件適用於這些產品